Privacy Policy
Last updated: March 2026
1. Introduction and Data Controller
Paul-Jasper Sahr ("Gemhog", "we", "us") operates the website gemhog.com and the Gemhog investment research service. We are the data controller responsible for your personal data within the meaning of the EU General Data Protection Regulation (GDPR) and the German Digitale-Dienste-Gesetz (DDG).
Paul-Jasper Sahr
Quellenweg 162a, 26129 Oldenburg
Germany
Email: hello@gemhog.com
This policy explains what personal data we collect, why we collect it, how we process it, and what rights you have under GDPR Articles 13 and 14.
2. Data We Collect
Identity Data
- Email address
- Display name
- Profile image (from sign-in provider)
Authentication Data
- Session tokens (stored as HTTP-only cookies)
- One-time passwords (OTP codes — used for verification only, not stored after verification)
Technical Data
- IP address
- Browser user agent
- Device type
- Referring URL
Usage Data
- Page views and feature interactions
- PostHog analytics events (e.g. landing_page_viewed, subscribe_started, subscribe_completed)
Error Data
- Stack traces and console logs
- Breadcrumbs and session IDs (Sentry)
Payment Data
- Subscription status, plan type, and order history (managed by Polar)
- We do not store credit card numbers or payment card data — Polar is the merchant of record and handles all card processing directly
Support Data
- Messages and conversation history submitted via customer support chat (Chatwoot)
Newsletter Data
- Email address
- Subscription status
- Unsubscribe date (if applicable)
3. How We Use Your Data and Legal Basis
We process personal data only when we have a lawful basis under GDPR Article 6:
Performance of Contract — Art. 6(1)(b) GDPR
- Account creation and management
- Authentication (login, session management, OTP verification)
- Subscription management and billing via Polar
- Core service delivery — providing investment research content, claim summaries, and podcast analysis
- Transactional email delivery (account notifications, subscription confirmations)
Consent — Art. 6(1)(a) GDPR
- Product analytics via PostHog (controlled via cookie consent)
- Error tracking via Sentry (controlled via cookie consent)
- Newsletter subscription
Legitimate Interest — Art. 6(1)(f) GDPR
- Security logging — IP address logging for fraud prevention and abuse detection
- Basic server logging for infrastructure stability and debugging
4. Third-Party Sub-processors
We share personal data with the following sub-processors, each for a specific purpose:
PostHog (EU — Frankfurt)
Product analytics and feature tracking. Endpoint: eu.i.posthog.com. Data processed: anonymous usage events; identified user events when logged in. Retention: per PostHog retention policy.
Sentry (DE — Germany)
Error tracking and crash reporting. Endpoint: ingest.de.sentry.io. Data processed: stack traces, console breadcrumbs, session IDs. Retention: 90 days.
Resend (US)
Transactional email delivery. Data processed: email address, email content. International transfer safeguard: Standard Contractual Clauses (SCCs).
Polar (US)
Payment processing and subscription management. Polar acts as the merchant of record — credit card data is processed exclusively by Polar and is never stored by Gemhog. Data processed: email address, subscription plan, order history. International transfer safeguard: Standard Contractual Clauses (SCCs).
Amazon Web Services (EU — Frankfurt)
Infrastructure, database hosting, and compute. Region: eu-central-1 (Frankfurt). Data processed: all user data is stored on AWS infrastructure.
Cloudflare (US/EU)
DNS, CDN, and DDoS protection. Data processed: IP addresses, request headers. International transfer safeguard: Standard Contractual Clauses (SCCs).
Chatwoot (Self-hosted)
Customer support chat. Self-hosted on our infrastructure. Data processed: support conversation content, email address.
Anthropic (US)
LLM processing (Claude) for podcast content analysis. Data processed: podcast transcript excerpts only — no personal user data is sent to Anthropic. International transfer safeguard: Standard Contractual Clauses (SCCs).
OpenAI (US)
LLM processing (GPT) for content analysis. Data processed: podcast transcript excerpts only — no personal user data is sent to OpenAI. International transfer safeguard: Standard Contractual Clauses (SCCs).
5. International Data Transfers
PostHog, Sentry, and Amazon Web Services process your data within the European Union (Frankfurt, Germany). Chatwoot is self-hosted on our own EU infrastructure.
Resend, Polar, Cloudflare, Anthropic, and OpenAI are based in the United States. Transfers of personal data to these processors are made under Standard Contractual Clauses (SCCs) pursuant to GDPR Article 46(2)(c), ensuring an adequate level of data protection.
6. Data Retention
- User accounts: retained until you request deletion or your account is terminated
- Session tokens: 30 days (rolling refresh)
- OTP codes: immediately discarded after verification
- PostHog analytics events: per PostHog retention settings (default 365 days)
- Sentry error data: 90 days
- Newsletter subscriber data: email retained until unsubscribe + 30 days for bounce processing
- Payment records: retained as required by German tax and commercial law (typically 10 years pursuant to § 147 AO, § 257 HGB)
- Server logs: 30 days rolling
7. Your Rights under GDPR
Under GDPR Articles 15–22, you have the following rights regarding your personal data:
- Right of access (Art. 15): You may request a copy of the personal data we hold about you. Email hello@gemhog.com to submit a data subject access request (DSAR).
- Right to rectification (Art. 16): You may update your account information directly, or contact us to correct inaccurate data.
- Right to erasure (Art. 17): You may request deletion of your personal data by emailing hello@gemhog.com.
- Right to restriction of processing (Art. 18): You may request that we restrict processing of your data in certain circumstances. Contact us at hello@gemhog.com.
- Right to data portability (Art. 20): You may request your personal data in a structured, commonly used, and machine-readable format. Email hello@gemhog.com and we will provide your data.
- Right to object (Art. 21): You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent: Where processing is based on consent (e.g. analytics, error tracking), you may withdraw consent at any time by managing your cookie preferences via the Cookie Settings on our website. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. Your competent authority is Die Landesbeauftragte für den Datenschutz Niedersachsen (or your local EU data protection authority).
8. AI and Automated Processing
In accordance with EU AI Act transparency obligations, we disclose the following about our use of artificial intelligence:
- Gemhog uses large language models (Anthropic Claude and OpenAI GPT) to extract investment claims and key insights from podcast transcripts.
- AI processing is editorial in nature: it helps surface and structure publicly available information from podcasts. It does not generate investment advice.
- AI is not used to make decisions about individual users. There is no credit scoring, profiling, or automated individual decision-making as defined in GDPR Article 22.
- AI outputs may contain errors, misattributions, or omissions. Users should always verify claims against the original podcast sources.
- No personal user data is sent to LLM providers. Only podcast transcript content is processed by these services.
9. Cookies
We use cookies and similar technologies. For detailed information about the specific cookies we set, their purposes, and how to manage your preferences, please see our Cookie Policy.
10. Children
Our service is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at hello@gemhog.com and we will delete it promptly.
11. Updates to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or applicable law. We will notify registered users and newsletter subscribers by email of any material changes. The date of the most recent update is shown at the top of this page.